Extracted

Extracted

• • Target

    NiptuneRAT-main.7z

  • Size

    59.8MB

  • MD5

    b0a9e59c9d88a91d61faa639f2cc8d5f

  • SHA1

    4f82c76dc2a6637f5f4575646cae4c84bbe2f62a

  • SHA256

    7aa07e1ad45026323d6a51af1a5e3e762cc4670d772e043e04d13c558b5eb0fb

  • SHA512

    592e1ff69ebbce29ef746badc494b17e8f660634a097f439c38e57a36da6701405752a55ba0e164d5a030883fb81518fc1929aed7f3a75837d742e9babad95d3

  • SSDEEP

    1572864:ipxJYt13T6VBt3bQgzw4hHnGOrb7u5sO9:S6tgVBt3bQgU4hHGOv7uWO9

  Score

  10^/10

  neshtanjratupdatessevasionexecutionpersistencespywarestealertrojan

  • Contains code to disable Windows Defender

    A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

  • Detect Neshta payload

  • Neshta

    Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.

    persistencespywareneshta

  • njRAT/Bladabindi

    Widely used RAT written in .NET.

    trojannjrat

  • Blocklisted process makes network request

  • Modifies Windows Firewall

    evasion

  • Drops startup file

  • Executes dropped EXE

  • Loads dropped DLL

  • Modifies system executable filetype association

    persistence

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Adds Run key to start application

    persistence

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory

  • Suspicious use of SetThreadContext

  behavioral1